PatchSiren cyber security CVE debrief
CVE-2017-3386 Oracle CVE debrief
CVE-2017-3386 is a high-severity Oracle vulnerability affecting the Advanced Outbound Telephony component of Oracle E-Business Suite. According to the CVE record, an unauthenticated attacker with network access via HTTP can exploit the issue, but successful attacks require human interaction from another person. Oracle/NVD indicate the impact can include unauthorized access to critical data and unauthorized modification of some accessible data.
- Vendor: Oracle
- Product: CVE-2017-3386
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, and operations teams responsible for Advanced Outbound Telephony deployments should treat this as relevant. It matters most anywhere the affected E-Business Suite versions are exposed to network access and where users may interact with the vulnerable UI.
Technical summary
The NVD entry lists affected Oracle Advanced Outbound Telephony versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, which reflects unauthenticated network exploitation, required user interaction, and strong confidentiality impact with limited integrity impact. NVD also classifies the weakness as NVD-CWE-noinfo.
Defensive priority
High. The vulnerability is network-reachable, does not require authentication, and can expose sensitive data. The required user interaction lowers exploitability somewhat, but the confidentiality impact and affected Oracle enterprise product surface justify prompt review and patching.
Recommended defensive actions
- Confirm whether Oracle E-Business Suite Advanced Outbound Telephony is deployed in any environment.
- Inventory the affected versions listed in the CVE record: 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.
- Review Oracle's January 2017 security advisory referenced by NVD for remediation guidance.
- Apply Oracle's available fixes or mitigations for the affected product and version where applicable.
- Limit exposure of the affected application path to trusted networks while remediation is pending.
- Remind users to be cautious with unexpected prompts or interactions in the affected UI until the issue is remediated.
Evidence notes
This debrief is grounded in the NVD CVE record and its references. The CVE description states that the issue is easily exploitable by an unauthenticated attacker with network access via HTTP, requires human interaction, and can lead to unauthorized access and some unauthorized data modification. The NVD CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The affected versions are explicitly listed in the NVD metadata.
Official resources
- CVE-2017-3386 CVE record: CVE.org
- CVE-2017-3386 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference: CVE published on 2017-01-27 and last modified in the supplied record on 2026-05-13. The NVD record cites Oracle's January 2017 security advisory as a reference.